Notification Callbacks and Secrets

I’m working on a Python notification_callback and looking for advice on managing secrets, specifically in an AWX context. If I use ENV vars for the vault password, I’m able to do everything; however, in AWX the vault password is passed using --ask-vault-pass and I’m not able to decrypt things.

  • The Python can use the requests module to call a URL, but I still need to access a secret somehow. Even if I use a 3rd-party vault, I still need to store and access the secret for that in an Ansible/AWX context.
  • I’ve also POC’d using ansible_runner to run a play to do the notification. It works great when the ENV vars are set, but not when using --ask-vault-pass, which is how AWX jobs manage vault access.

Some questions:

  • Does ansible.cfg support vaulted settings? If so, please help me with the documentation.
  • Is there a way to get to the vault password in Python in the notification_callback context? Is there a data structure or API?
  • Is there an example callback that uses encrypted secrets? ARA and Slack don’t seem to encrypt tokens, mail is local only, etc.